Module Overview

* Overview of AD DS
* AD DS Physical Components
* AD DS Logical Components


Lesson 1: Overview of AD DS

* Protocol
* What is Authentication?
* What is Authorization?
* Why Deploy AD DS?
* Centralized Network Management
* Requirements for Installing AD DS
* Overview of AD DS and DNS
* Overview of AD DS Components


Protocol

* Lightweight Directory Access Protocol (LDAP)
  - X.500 standard
  - Based on TCP/IP
  - A method for accessing, searching, and modifying a directory service
  - A client-server model
What is Authentication?

Authentication is the process of verifying a user's identity on a network.

Authentication takes two forms:
* Interactive logon: grants access to the local computer
* Network authentication: grants access to network resources
What is Authorization?

Authorization is the process of verifying that an authenticated user has permission to perform an action.

* Security principals are issued security identifiers (SIDs) when the account is created
* User accounts are issued security tokens during authentication that include the user's SID and all related group SIDs
* Shared resources on a network include access control lists (ACLs) that define who can access the resource
* The security token is compared against the Discretionary Access Control List (DACL) on the resource, and access is granted or denied
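As an added example that is not part of the course material, the following Python simulates the access check just described: a token holding the user's SID and group SIDs is walked against a resource's DACL. The SIDs, rights bits and ACEs are constructed sample values.

```python
# Added example: a simulation of the Windows access check (token vs. DACL).
# All SIDs, rights bits and ACEs below are constructed sample values.
from dataclasses import dataclass

# Access-mask bits for this example (a constructed subset of file rights).
READ, WRITE, EXECUTE = 0x1, 0x2, 0x4

@dataclass(frozen=True)
class Ace:
    kind: str   # "allow" or "deny"
    sid: str    # security principal the ACE applies to
    mask: int   # rights the ACE allows or denies

def check_access(token_sids, dacl, requested):
    """Walk the DACL in order, the way the Windows access check does.

    A deny ACE for any SID in the token that overlaps the rights still
    outstanding stops the check with access denied; allow ACEs accumulate
    granted rights until every requested right is covered. If the DACL is
    exhausted first, access is denied (so an empty DACL grants nothing).
    """
    if dacl is None:            # a NULL DACL means the object is unprotected
        return True
    remaining = requested
    for ace in dacl:
        if ace.sid not in token_sids:
            continue            # ACE does not apply to this token
        if ace.kind == "deny" and ace.mask & remaining:
            return False
        if ace.kind == "allow":
            remaining &= ~ace.mask
            if remaining == 0:
                return True
    return remaining == 0

# Constructed token: the user's SID followed by the SIDs of the user's groups.
ALICE_TOKEN = {"S-1-5-21-1-1-1-1001",   # Alice (hypothetical user SID)
               "S-1-5-21-1-1-1-1105",   # Finance group (hypothetical)
               "S-1-5-11"}              # Authenticated Users (well-known SID)

# Constructed DACL in canonical order: explicit denies before explicit allows.
REPORTS_DACL = [
    Ace("deny",  "S-1-5-21-1-1-1-1105", WRITE),           # Finance: no write
    Ace("allow", "S-1-5-21-1-1-1-1105", READ | EXECUTE),  # Finance: read/execute
    Ace("allow", "S-1-5-11", READ),                       # Authenticated Users: read
]
```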
Why Deploy AD DS?

AD DS provides a centralized system for managing users, computers, and other resources on a network.

AD DS features include:
* Centralized directory
* Single sign-on access
* Integrated security
* Scalability
* Common management interface
Centralized Network Management

AD DS centralizes network management by providing:


Requirements for Installing AD DS

Credentials
* To install a new AD DS forest, you need to be a local Administrator on the server. To install an additional domain controller in an existing domain, you need to be a member of the Domain Admins group.

Domain Name System (DNS) infrastructure
* Verify that a DNS infrastructure is in place. When you install AD DS, you can include DNS server installation if it is needed.
* When you create a new domain, a DNS delegation is created automatically during the installation process. Creating a DNS delegation requires credentials that have permissions to update the parent DNS zones.
Overview of AD DS and DNS

* AD DS requires a DNS infrastructure
* AD DS domain names must be DNS domain names
* AD DS domain controller records must be registered in DNS to enable other domain controllers and client computers to locate the domain controllers
* DNS zones can be stored in AD DS as Active Directory integrated zones
Component Overview

Physical components:
* Data store
* Domain controllers
* Global catalog server
* Read-Only Domain Controller (RODC)
* Sites

Logical components:
* Partitions
* Schema
* Domains
* Domain trees
* Forests
* Organizational units (OUs)


Lesson 2: Overview of AD DS Physical Components

* Domain Controllers
* Global Catalog Servers
* Data Store
* Replication
* Sites

Domain Controllers

A domain controller is a server with the AD DS server role installed that has specifically been promoted to a domain controller.

Domain controllers:
* Provide authentication and authorization services
* Replicate updates to other domain controllers in the domain and forest
* Allow administrative access to manage user accounts and network resources

Windows Server 2008 and later supports RODCs.
Global Catalog Servers

Global catalog servers are domain controllers that also store a copy of the global catalog.

The global catalog:
* Contains a copy of all AD DS objects in the forest, but only some of the attributes of each object
* Improves the efficiency of object searches by avoiding unnecessary referrals to domain controllers
* Is required for users to log on to a domain
What is the AD DS Data Store?

The AD DS data store contains the database files and processes that store and manage directory information for users, services, and applications.

The AD DS data store:
* Consists of the Ntds.dit file
* Is stored by default in the %SystemRoot%\NTDS folder on all domain controllers
* Is accessible only through the domain controller processes and protocols
What is AD DS Replication?

AD DS replication copies all updates of the AD DS database to all other domain controllers in a domain or forest.

AD DS replication:
* Uses a multimaster replication model
* Can be managed by creating AD DS sites

The AD DS replication topology is created automatically as new domain controllers are added to the domain.
What are Sites?

An AD DS site represents a network segment where all domain controllers are connected by a fast and reliable network connection.

Sites are:
* Associated with IP subnets
* Used to manage replication traffic
* Used to manage client logon traffic
* Used by site-aware applications such as Distributed File System (DFS) or Exchange Server
* Used to assign Group Policy objects to all users and computers in a company location
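The DNS records described on the AD DS and DNS slide and the subnet-to-site mapping described here work together when a client looks for a domain controller. The following Python, added here and not part of the course material, models that lookup with a constructed subnet table, domain name and SRV answer.

```python
import ipaddress

# Constructed site definitions: each AD DS site is associated with IP subnets.
SITE_SUBNETS = {
    "10.1.0.0/16": "Seattle",
    "10.1.200.0/24": "Seattle-Lab",   # more specific than 10.1.0.0/16
    "10.2.0.0/16": "London",
}

# Constructed SRV answer for _ldap._tcp.Seattle._sites.dc._msdcs.contoso.com,
# as (priority, weight, target) tuples.
SEATTLE_SRV = [(0, 100, "sea-dc1.contoso.com"),
               (0, 50, "sea-dc2.contoso.com"),
               (10, 100, "sea-dc3.contoso.com")]

def site_for_client(client_ip, site_subnets=SITE_SUBNETS):
    """Map a client IP to its AD DS site via the most specific matching subnet;
    None when no subnet object covers the address."""
    addr = ipaddress.ip_address(client_ip)
    best = None
    for cidr, site in site_subnets.items():
        net = ipaddress.ip_network(cidr)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, site)
    return best[1] if best else None

def dc_locator_queries(domain, site=None):
    """SRV record names a client queries, in order, to find a domain controller.
    Domain controllers register these names in DNS; the site-specific name is
    tried first so that logon traffic stays inside the client's own site."""
    names = []
    if site:
        names.append(f"_ldap._tcp.{site}._sites.dc._msdcs.{domain}")
    names.append(f"_ldap._tcp.dc._msdcs.{domain}")   # any DC in the domain
    return names

def pick_dc(srv_records):
    """Choose a target from SRV records: lowest priority wins, and among equal
    priorities the highest weight. Real clients pick among equal priorities at
    random in proportion to weight; this version is deterministic."""
    return min(srv_records, key=lambda r: (r[0], -r[1]))[2]

if __name__ == "__main__":
    site = site_for_client("10.1.200.7")
    print(site, dc_locator_queries("contoso.com", site), pick_dc(SEATTLE_SRV))
```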
Lesson 3: Overview of AD DS Logical Components

* AD DS Schema
* The Basics
* Trusts
* AD DS Objects
* Demo: Installation and Management
What Is the AD DS Schema?

The AD DS schema:
* Defines every type of object that can be stored in the directory
* Enforces rules regarding object creation and configuration

Class object: defines what objects can be created in the directory (for example, User and Computer)
Attribute object: defines information that can be attached to an object (for example, Display name)
The Basics: Domains

Domains are used to group and manage objects in an organization.

Domains are:
* An administrative boundary for applying policies to groups of objects
* A replication boundary for replicating data between domain controllers
* An authentication and authorization boundary that provides a way to limit the scope of access to resources
The Basics: Trees

All domains in the tree:
* Share a contiguous namespace with the parent domain
* Can have additional child domains
* By default create a two-way transitive trust with other domains
The Basics: Forests

A forest is a collection of one or more domain trees.

Forests:


The Basics: Organizational Units (OUs)

OUs are Active Directory containers that can contain users, groups, computers, and other OUs.

OUs are used to:
* Represent your organization hierarchically and logically
* Manage a collection of objects in a consistent way
* Delegate permissions to administer groups of objects
* Apply policies
Trusts

* The trust direction flows from the trusting domain to the trusted domain
* A transitive trust extends the trust relationship beyond a two-domain trust to include other trusted domains
* All domains in a forest trust all other domains in the forest
* Trusts can extend outside the forest
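The following Python, added here and not part of the course material, models the trust rules from the Domains, Trees, Forests and Trusts slides with a constructed set of domains and trusts: trusts inside a forest are transitive, a forest trust reaches one other forest, and an external trust is non-transitive.

```python
from collections import deque

# (trusting_domain, trusted_domain, kind). "forest_internal" is one of the
# two-way transitive parent-child or tree-root trusts created automatically
# inside a forest; "forest" is a forest trust; "external" is a non-transitive
# external trust. Every domain and trust here is constructed.
TRUSTS = [
    ("contoso.com", "sales.contoso.com", "forest_internal"),
    ("sales.contoso.com", "contoso.com", "forest_internal"),
    ("contoso.com", "fabrikam.com", "forest_internal"),   # second tree, same forest
    ("fabrikam.com", "contoso.com", "forest_internal"),
    ("contoso.com", "adatum.com", "forest"),              # two-way forest trust
    ("adatum.com", "contoso.com", "forest"),
    ("adatum.com", "legacy.local", "external"),           # one-way, non-transitive
]

def can_access(resource_domain, account_domain, trusts=TRUSTS):
    """True if accounts from account_domain can be authenticated for resources
    in resource_domain. Trust flows from trusting to trusted domain, so this is
    a path search starting at the resource domain. Inside a forest every domain
    reaches every other through transitive trusts; a forest trust carries that
    to one other forest but not on to a third; an external trust is only ever
    the single direct link between its two domains."""
    if resource_domain == account_domain:
        return True
    queue = deque([(resource_domain, 0)])     # (domain reached, forest hops used)
    seen = {(resource_domain, 0)}
    while queue:
        domain, forest_hops = queue.popleft()
        for trusting, trusted, kind in trusts:
            if trusting != domain:
                continue
            if kind == "external" and domain != resource_domain:
                continue                       # external trusts do not chain
            hops = forest_hops + (kind == "forest")
            if hops > 1:
                continue                       # forest trusts do not chain either
            if trusted == account_domain:
                return True
            if kind != "external" and (trusted, hops) not in seen:
                seen.add((trusted, hops))
                queue.append((trusted, hops))
    return False
```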
AD DS Objects

User

* Similar to a user account
* Used for compatibility with other directory services

* Used primarily to assign e-mail addresses to external users
* Does not enable network access

* Used to simplify the administration of access control
* Enables authentication and auditing of computer access to resources
* Used to simplify the process of locating and connecting to printers
* Enables users to search for shared folders based on
DEMO: Installation and Management

* Observe the installation of AD DS
  - Installation occurs without promotion to a domain controller
* Domain Controller Promotion
* Active Directory Users and Computers
* Active Directory Administrative Center
* Active Directory Sites and Services


Module Review and Takeaways

* Review Questions
* Summary of AD DS
Thanks for Watching!